From 0ecaa9b8ee273eb41394c838b0f39a4683bb5e2a Mon Sep 17 00:00:00 2001
From: Philip Sargent
Date: Sun, 28 Mar 2021 15:40:07 +0100
Subject: [PATCH] Disable "secure" (i.e. SSL trabsport only) cookies
---
 settings.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/settings.py b/settings.py
index 20a0d63..80fb84b 100644
--- a/settings.py
+++ b/settings.py
@@ -109,8 +109,8 @@ SECRET_KEY = "not-the-real-secret-key-a#vaeozn0---^fj!355qki*vj2"
 LOGIN_REDIRECT_URL = '/'
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
-#SESSION_COOKIE_SECURE = True # if enabled, cannot login to Django control panel, bug elsewhere?
-CSRF_COOKIE_SECURE = True
+# SESSION_COOKIE_SECURE = True # if enabled, cannot login to Django control panel, bug elsewhere?
+# CSRF_COOKIE_SECURE = True # if enabled only sends cookies over SSL
 X_FRAME_OPTIONS = 'SAMEORIGIN' # change to "DENY" after we eliminate all the iframes e.g. /xmlvalid.html
 INSTALLED_APPS = (
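Review bot: With `CSRF_COOKIE_SECURE` commented out next to the already-disabled `SESSION_COOKIE_SECURE`, both fall back to Django's default of `False`, so the session and CSRF cookies are sent without the Secure attribute on every deployment that loads this file. That exposes them to anyone who can observe a plain-HTTP request, and the existing comment "cannot login to Django control panel, bug elsewhere?" suggests the root cause is still open. If it is, the likely candidates are a site served over HTTP, or TLS terminated at a proxy without `SECURE_PROXY_SSL_HEADER` being set; this is inferred, as the hunk does not show the deployment. I would keep the flags on for production and relax them only for local work, e.g. `SESSION_COOKIE_SECURE = not DEBUG` and `CSRF_COOKIE_SECURE = not DEBUG`, assuming `DEBUG` is defined earlier in settings.py, or move the override into a development-only settings file. If they must stay off for now, the comment should say why and what has to be fixed before re-enabling them, e.g. `# TODO: re-enable once the site is HTTPS-only`.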